Security

/ TransIP Responsible disclosure policy

Security is a core priority at TransIP. We highly value the work of ethical hackers and security researchers who help us protect our systems and our users. If you’ve discovered a potential vulnerability, we would love to hear about it through the Intigriti platform.

Important: We only accept vulnerability submissions via our Intigriti bug bounty program. Reports sent via email or other means will not be eligible for a bounty. 

/ Why Intigriti?

Using Intigriti benefits both sides: 

  • A secure and trusted platform for disclosure of vulnerabilities. 
  • Structured communication and feedback. 
  • Bounty rewards for accepted reports and easy payout. 
  • Optional anonymity for researchers. 

By centralizing our vulnerability handling with Intigriti, we ensure a smooth, fair, and secure process for everyone involved.

/ Guidelines

We ask all researchers to follow these basic rules: 

  • Do not exploit vulnerabilities beyond what is necessary for proof-of-concept. 
  • Avoid impacting user data or privacy. 
  • No social engineering or physical testing. 
  • Keep your findings confidential until we’ve had a chance to fix the issue. 

If you play by the rules, we commit to: 

  • Reviewing your report promptly. 
  • Keeping you informed about progress. 
  • Rewarding you when appropriate. 
  • Never taking legal action against responsible researchers.

/ Scope

You can find the current scope and testing guidelines directly on our Intigriti page.  

/ How to report a security vulnerability?

We’ve partnered with Intigriti, a trusted bug bounty platform, to handle all responsible disclosure submissions. Our program is private, so you’ll need to be invited before you can submit a report. 

To request access: 

  • Create an account with Intigriti.
  • Email us your Intigriti username at security@nl.team.blue. 

Once invited, you’ll be able to access our Intigriti program, where you’ll find: 

  • A detailed list of in-scope and out-of-scope systems 
  • Rules of engagement for security testing 
  • Submission guidelines 
  • Potential rewards for eligible findings 

/ Hall of Fame

Stan

Helped us by informing us of a DoS vector.

LinkedIn

Remon

Helped us by alerting us about vulnerable servers. 

LinkedIn

Olivier Beg - Nick: Smiegles

Found that it was possible to take over a subdomain that was pointing to an unclaimed CloudFront distribution.

LinkedIn

Vivek Jain - Nick: rock2017

Found multiple small bugs which needed to be fixed to improve the overall security of our platform.

LinkedIn

Jacek Smit

Found a server which was open to the internet and was not properly configured.

LinkedIn

Yeasir Arafat

Found several XSS bugs throughout our platform. 

Website

Sandeep Kumar Yadav - Nick: SKY

Found an XSS vulnerability in the TransIP control panel. 

Facebook

Elyesa in der Maur

Found two XSS vulnerabilities within our platform. 

Website

d1m0ck

Found an open redirect on transip.nl.

Twitter

Steven Prins – Nick: stepri

Helped us further improve rate-limiting in 2FA entry.

Twitter

iamsushi

Found a CSRF bug in GET requests.

Twitter

Mayur Parmar – Nick: The Cyber Cop

Found an XSS vulnerability on one of our platforms.

LinkedIn

Akash Sebastian

Helped us further improve rate-limiting in our password reset functionality.

Facebook

Pankaj Kumar Thakur

Found a content spoofing vulnerability on the TransIP website.

Twitter

Elumalai vasan - Nick: 7hills

Discovered multiple CSRF vulnerabilities on one of our platforms.

LinkedIn

DIWAKAR. S - Nick: who-is-mr-robot

Discovered a brute-force vulnerability in our frontend.

LinkedIn

Shivam Kamboj Dattana

Found information being exposed on a public interface that should not be there.

Twitter

Jatin N

Demonstrated an attack vector on one of our communications channels.

Twitter

Mohd. Danish Abid

Discovered a potential DoS attack on our main site.

LinkedIn

Lieven Gekiere

Helped us by alerting us about a vulnerable server.